IPSec VTIs (Virtual Tunnel Interfaces) simplify the configuration of a VPN compared to using crypto maps or GRE over IPSec tunnels. A benefit of VTIs is that the configuration is not tied to a physical interface; instead each VTI carries its own configuration, so you can run a dynamic routing protocol (EIGRP, OSPF, etc.) or define QoS per VTI.

VTI Configuration Example using defaults

To set up a basic VTI-based site-to-site VPN you can use the crypto defaults (ISAKMP policy, IPSec transform set and IPSec profile); apart from the VTI itself, the only crypto configuration required is a pre-shared key.
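The following is an added example of the minimal configuration described above; it is not the post's own configuration. It assumes two IOS 15.x routers (R1 and R2) with smart defaults available (the built-in ISAKMP policies, the "default" transform set and the "default" IPSec profile), WAN addresses from the RFC 5737 documentation range, a /30 on the tunnel, one LAN per site and EIGRP AS 1 across the VTI. The pre-shared key is a placeholder.

```cisco
! R1 -- constructed example, not the post's own configuration
hostname R1
!
! The only crypto line needed when relying on the IOS smart defaults
! (default ISAKMP policies, transform set "default", IPsec profile "default").
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
interface GigabitEthernet0/0
 description WAN (assumed addressing, RFC 5737 documentation range)
 ip address 203.0.113.1 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 description VTI to R2
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255

! R2 -- mirror image of R1
hostname R2
!
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
 description VTI to R1
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 network 192.168.2.0 0.0.0.255
```

Because nothing in this example pins the IKE parameters, the policy actually negotiated is whatever the two peers' built-in policy lists agree on first; confirm it with "show crypto isakmp sa detail" and "show crypto isakmp policy" as described in the next section, and add an explicit "crypto isakmp policy" with the DH group you require if the negotiated defaults are weaker than you want.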

Verify IKE and IPSec SAs

Use the command “show crypto isakmp sa detail” to confirm the parameters used in IKE Phase 1.

Use the command “show crypto isakmp policy” to display the parameters of the ISAKMP policies. From the output above and below we can determine that ISAKMP Policy 10 was used to complete IKE Phase 1 (note that DH group 15 is used).

With the IKE Phase 1 state showing “QM_IDLE”, we can determine that the IKE (ISAKMP) SAs between the two peers are established correctly.

Use the command “show crypto ipsec sa” to display the IPSec SA. Confirm packets are being successfully encrypted and decrypted.

You can also determine which transform set is being used in IKE Phase 2. Confirm this by using the command “show crypto ipsec transform-set”. In this instance the default transform set is being used (esp-aes esp-sha-hmac).